I have taken over part of a project from a colleague that uses Azure AD B2C.
At the moment we use the list of users in the old Azure portal to get the authentication tokens of users, which we can then tie in with the user entries in our own database. I.e. we copy-and-paste from the columns here:
It would be far more sensible to do this programatically.
The article Azure AD B2C Preview: Use the Graph API includes sample code to download. To get it running I needed these things:
<appSettings>
<add key="b2c:Tenant" value="[Enter tenant name, e.g. contoso.onmicrosoft.com]" />
<add key="b2c:ClientId" value="[Enter the client ID (a.k.a AppPrincipalId) as obtained from the Azure AD Powershell, e.g. 82692da5-a86f-44c9-9d53-2f88d52b478b]" />
<add key="b2c:ClientSecret" value="[Enter the client secret that you generated, e.g. ONHJGaI232VenJIboyg8hmTlyNXh0Ef0brRRRNWBRfc=]" />
</appSettings>
I can get the Tenant and the Application ID from the new Azure Portal portal:
and my colleague has passed me the client secret from when he made the directory.
Following the article I now compile the app and run
B2C Get-User
But instead of the expected list of users from our Azure AD B2C directory I get the error message
AADSTS70001: Application my-app-id is not supported for this API version.
Trace ID: a-guid
Correlation ID: another-guid
Timestamp: 2016-07-15 10:27:15Z
How do I programmatically get the users in my Azure AD B2C directory?
Run the powershell commands from here to register a new service principal:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-devquickstarts-graph-dotnet/
This new service principal has it's own appId, and it's own client secret.
You mixed some of these (the AppId you chose is from an B2C application, not a B2C/AD Service principal)
Related
I have created a custom identity provider in adb2c for my openid connect server but getting error while running it through User Flow -
Setps I did :
Created a new openId Connectprovider.
Created a new user flow for open-id connect provider :
I am not sure how to debug this through adb2c as that's a quite generic error and if I am missing any steps.
This issue may cause if your client ID is incorrect in the web.config file for the app
Try to Open Web.config file for the app
In Web.config file,try to find the app key ida:ClientId.
The client ID provided in the portal for your app should be used as the value of the app key.
The file's modified section looks like
<appSettings>
<add key="ida:ClientId" value="**xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx**">
</appSettings>
Credits to MsDoc
I am trying to customize id token in Azure AD ..
I did the following steps :
1-Registered Azure AD application
2-Post extension:
https ://graph.microsoft.com/v1.0/applications/Object ID/extensionProperties
Payload : {"name":"test","dataType":"string","targetObjects":["User"]}
3-Create claim Mapping Policy
https ://graph.microsoft.com/v1.0/policies/claimsMappingPolicies
Payload
{"definition":[{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true","ClaimsSchema": [{"Source":"user","ExtensionID":"extension_Application (client)ID_test","JwtClaimType":"test"}]}}],"displayName":"test","isOrganizationDefault":true}
4-Post service principal
https: // graph.microsoft.com/v1.0/servicePrincipals/Object ID of the Managed application /claimsMappingPolicies/$ref
Payload : {"#odata.id":"https: //graph.microsoft.com/v1.0/policies/claimsMappingPolicies/(The policy Id I got from step 4"}
5- I patched a user
https: // graph.microsoft.com/v1.0/users/usreID
{"extension_Application (client)ID_test":"test"}
6- I edited the Mainifest
See Mainifest
6- I tired to get the ID token for the user I patched in step 5
https://login.microsoftonline.com/**tenant Id**/oauth2/v2.0/token
with headers(client_id,client_secret,scope:https://graph.microsoft.com/.default,usernam,password)
7- I decoded the token , I don't see "test" as part of the token
Not sure what I am missing here to customize the token
Screenshot to show that I am missing token configuration in the blade
Missing token configuration in the blade
Screenshot to show that I can't find permission : Directory.AccessAsUser.All
missing API permission
Once the extension claim setup is done, it can be used to store and retrieve data via graph as extension properties may not passed in id tokens, but can be retrieve by querying the user profile from the Graph. or The application can make use of graph client to pass the extension claims which are not taken from available optional claims from azure ad.
Please make sure to have the Directory.AccessAsUser.All ,Directory.Read.All,openId permissions granted.
Also please check with optional claims set in manifest .
Then check in token configuration, if it is valid claim.
References :
Emitting claims with data from directory schema extension attributes created for an application using Graph
azure-ad-custom-attributes-and-optional-claims-from-an-asp-dot-net-application
Edit:update 13/4/2022
Like you said in comments:
Like the Most obvious difference now ( Token configuration is not
available and api permssion for Directory.AccessAsUser.All is not
there)
I tried to check in which way i cannot be able to see those features in Overview blade of AAD portal.
I had all those features as i was using organizational Azure AD premium 2 licensed tenant.
But when i tried to create another tenant with same account and switched tenant to work on it and created an app registration. App registration blade doesn't have the token configuration and api permissions like Directory.AccessAsUser.All as you mentioned.
Then i realized its license is azure ad free account.
So from my point of view please try to utilize the pay as you go account or which the organization had been subscribed to premium license which would give a better experience .
Also you can check the ongoing issue here
Q&A missing-features-in-my-azure-ad-tenant.
active-directory-optionalclaims-example
When I run signupsignin user flow in Azure B2C portal to test Open ID Connect (external Azure Tenant login), received below error.
Sorry, but we're having trouble signing you in.
We track these errors automatically, but if the problem persists feel free to contact us. In the meantime, please try again.
Correlation ID: 6744ccb7-eb8d-47f6-bb0a-bcd2f84f5771
Timestamp: 2021-08-04 04:10:53Z
ConnectionTimeOut: An exception has occurred.
This article describes a similar error that occurs when you try to sign in to an app that's set up for Azure AD B2C
Cause: The client ID may be missing or incorrect in the Web.config file for the app.
Resolution
To fix this issue, follow these steps:
Open the Web.config file for the app.
In the Web.config file, find the app key ida:ClientId.
Replace the value of the app key with the client ID that is provided for your app in the Azure AD B2C admin portal.
The changed part of the file resembles the following:
<appSettings>
<add key="ida:ClientId" value="**xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx**">
</appSettings>
References:
troubleshooting-with-application-insights
azure-ad-b2c-importing-in-users
Could be the case:
Make sure you are using the API Key and API Key Secret.
Not the ClientId and Client Secret
https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-twitter?pivots=b2c-user-flow
I am using Azure Active Directory B2C in an application(Xamarin.forms). When i try to call the azure login page (which is a sign-in-policy), i am prompted with the following error:
"We track these errors automatically, but if the problem persists feel free to contact us. In the meantime, please try again.
Correlation ID: xxxxxxx-xxxxxx-xxxxxx-xxxxxxx
Timestamp: 2021-01-28 17:08:40Z
AADB2C90011: The client id 'xxxxxxx-xxxxxx-xxxxxx-xxxxxxx' provided in the request does not match client id 'xxxxxxx-xxxxxx-xxxxxx-xxxxxxx' registered in policy"
i dont know what is going on, application id seems correct.
How do i fix it?
The client ID may be missing or incorrect in the Web.config file for the app.
You could have a try with follow these steps:
Open the Web.config file for the app.
In the Web.config file, find the app key ida:ClientId.
Replace the value of the app key with the client ID that is provided for your app in the Azure AD B2C admin portal.
The changed part of the file resembles the following:
<appSettings>
<add key="ida:ClientId" value="**xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx**">
</appSettings>
I have an Azure AD app (AAD App1) which has user assignment enabled. So only, users from a particular group let's say "Group A" can access any resource (let's say an Azure Function API) protected by that Azure AD app.
Now I have another daemon Azure function job, which needs to make an authenticated call to the above mentioned Azure function API. Since this is a daemon job, I have generated another Azure AD app (AAD App2) for this.
Below is my code to get access tokens:
string resourceId = "id of app used to authenticate azure function"; // AAD app ID used by the Azure function for authentication
string clientId = "id of app registered for the daemon job";// AAD app ID of your console app
string clientSecret = "secret of app registered for the daemon job"; // Client secret of the AAD app registered for console app
string resourceUrl = "https://blahblah.azurewebsites.net/api/events";
string domain = "<mytenant>.onmicrosoft.com"; //Tenant domain
var accessToken = await TokenHelper.GetAppOnlyAccessToken(domain, resourceId, clientId, clientSecret);
Now when I try to generate access token to access the Azure function API, I get an invalid grant error as below:
AdalException:
{"error":"invalid_grant","error_description":"AADSTS50105: Application
'' is not assigned to a role for the application
''.\r\nTrace ID:
6df90cf440-c16d-480e-8daf-2349ddef3800\r\nCorrelation ID:
4c4bf7bf-2140-4e01-93e3-b85d1ddfc09d4d\r\nTimestamp: 2018-05-09
17:28:11Z","error_codes":[50105],"timestamp":"2018-05-09
17:28:11Z","trace_id":"690cf440-c16d-480e-8daf-2349ddef3800","correlation_id":"4c4bf7bf-2140-4e01-93ef3-b85d1dc09d4d"}:
Unknown error
I am able to properly generate AAD access tokens if I disable the user assignment.
I am trying to avoid creating a service account here. Is there anyway I can add an app principal to an Azure AD group or add it as a member of another Azure AD app?
Unfortunately, you cannot add an AAD application/service principal as a member of Azure AD group.
I have confirmed this issue in My Answer for another similar question [EDIT - now seems to be possible, see said answer]
You can also upvote this idea in our Feedback Forum. Azure AD Team will review it.
Hope this helps!